Professionals 'Lack Time' or Ignore Critical Patch Application

Around 40% of organizations ignore critical security issues when they don’t know how to fix them, or don’t have the time to address them.

According to research by Outpost24, of 155 people surveyed, 26% lack the time and 16% ignore issues. Also, 47% apply patches immediately, 16% apply them monthly, 7% quarterly and 5% only twice a year.

In an email to Infosecurity, security consultant Ben Tomhave said that those people who say they're patching immediately “are probably lying, or they're not supporting environments that are overly sensitive on uptime or software integration.” He claimed that those who patch slower are likely very traditional shops that can't get testing done any faster.

As an example, he pointed to the fact that Oracle still does quarterly patches, which was a challenge until he worked at a software company “that had tons of stuff built on Oracle.”

He said: “It turns out that you must do QA/integration testing on all those patches before rolling out because they almost always break functionality. This is still current practice with Oracle patches.”

Respondents to the survey were also asked if security testing is conducted on their enterprises systems, which revealed that 7% fail to conduct any security testing whatsoever. However, 79% said that they do carry out testing, with 68% using the services of penetration testers.

Bob Egner, VP at Outpost24, said: “To maximize the value of testing investment, remediation action should be taken as close to the time of testing as possible. The proliferation of connected technologies, the knowledge and resource gap continue to be key challenges. Security staff can easily become overwhelmed and lose focus on the remediation that can be most impactful to the business.”

Tomhave said that another consideration is DevOps; specifically, the cultural change that facilitates continuous integration and development pipelines and heavy automation.

“The answer for production servers is to be able to automate integration and testing, as well as the ability to do A/B (or green/blue) deployments where you automatically patch a golden image, then push it out through the automated integration, build, and deployment process to ramp up new resources, or rapidly flag it back to dev to fix specific integration issues,” he said.

“As such, automation is part of the answer, but again really just as it applies to servers. For user endpoints, mobile devices, and IoT, almost certainly that should all be automated and pushed asap (provided there's a rollback option).”

Marten Mickos, CEO of HackerOne, said: “We see over and over the impact of known vulnerabilities that go unpatched with exceptional cases like the Equifax breach, and it is fantastic news that 58% of IT professionals do not ignore these critical security issues. It can take around 22 days to create an exploit for a known vulnerability so we must make it easier for organizations to prioritize fixes to protect their customers.”